From 3c5f477b6e6cbd0645fd688f225a04abf148f2d1 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Mon, 3 Aug 2009 03:13:17 +0000
Subject: [PATCH] BUGFIX: Dealt with some undefined vairable bugs in SiteTree::can_edit_multiple
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@83494 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 core/model/SiteTree.php | 122 +++++++++++++++++++++-------------------
 1 file changed, 63 insertions(+), 59 deletions(-)
diff --git a/core/model/SiteTree.php b/core/model/SiteTree.php
index 1e3c947a2..fcea1d189 100644
--- a/core/model/SiteTree.php
+++ b/core/model/SiteTree.php
@@ -857,69 +857,71 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid set_time_limit(0); // Default result: nothing editable $result = array_fill_keys($ids, false); + if($ids) { - // Look in the cache for values - if($useCached && isset(self::$cache_permissions['edit'])) { - $cachedValues = array_intersect_key(self::$cache_permissions['edit'], $result); + // Look in the cache for values + if($useCached && isset(self::$cache_permissions['edit'])) { + $cachedValues = array_intersect_key(self::$cache_permissions['edit'], $result); - // If we can't find everything in the cache, then look up the remainder separately - $uncachedValues = array_diff_key($result, self::$cache_permissions['edit']); - if($uncachedValues) { - $cachedValues = self::can_edit_multiple(array_keys($uncachedValues), $memberID, false) - + $cachedValues; - } - return $cachedValues; - } - - // If a member doesn't have CMS_ACCESS_CMSMain permission then they can't edit anything - if(!$memberID || !Permission::checkMember($memberID, 'CMS_ACCESS_CMSMain')) { - return $result; - } - - // Sanitise the IDs - $ids = array_filter($ids, 'is_numeric'); - $SQL_idList = implode($ids, ", "); - - // if page can't be viewed, don't grant edit permissions - // to do - implement can_view_multiple(), so this can be enabled - //$ids = array_keys(array_filter(self::can_view_multiple($ids, $memberID))); - - // Get the groups that the given member belongs to - //Debug::message("can_edit_multiple"); - $groupIDs = DataObject::get_by_id('Member', $memberID)->Groups()->column("ID"); - $SQL_groupList = implode(", ", $groupIDs); - - // Get the uninherited permissions - $uninheritedPermissions = DataObject::get("SiteTree", "(CanEditType = 'LoggedInUsers' OR - (CanEditType = 'OnlyTheseUsers' AND \"SiteTree_EditorGroups\".SiteTreeID IS NOT NULL)) - AND \"SiteTree\".ID IN ($SQL_idList)", - "", - "LEFT JOIN \"SiteTree_EditorGroups\" - ON \"SiteTree_EditorGroups\".\"SiteTreeID\" = \"SiteTree\".\"ID\" - 
AND \"SiteTree_EditorGroups\".\"GroupID\" IN ($SQL_groupList)"); - - if($uninheritedPermissions) { - // Set all the relevant items in $result to true - $result = array_fill_keys($uninheritedPermissions->column('ID'), true) + $result; - } - - // Get permissions that are inherited - $potentiallyInherited = DataObject::get("SiteTree", "CanEditType = 'Inherit' - AND \"SiteTree\".ID IN ($SQL_idList)"); - - if($potentiallyInherited) { - // Group $potentiallyInherited by ParentID; we'll look at the permission of all those - // parents and then see which ones the user has permission on - foreach($potentiallyInherited as $item) { - $groupedByParent[$item->ParentID][] = $item->ID; + // If we can't find everything in the cache, then look up the remainder separately + $uncachedValues = array_diff_key($result, self::$cache_permissions['edit']); + if($uncachedValues) { + $cachedValues = self::can_edit_multiple(array_keys($uncachedValues), $memberID, false) + + $cachedValues; + } + return $cachedValues; } - $actuallyInherited = self::can_edit_multiple(array_keys($groupedByParent), $memberID); - if($actuallyInherited) { - $parentIDs = array_keys(array_filter($actuallyInherited)); - foreach($parentIDs as $parentID) { - // Set all the relevant items in $result to true - $result = array_fill_keys($groupedByParent[$parentID], true) + $result; + // If a member doesn't have CMS_ACCESS_CMSMain permission then they can't edit anything + if(!$memberID || !Permission::checkMember($memberID, 'CMS_ACCESS_CMSMain')) { + return $result; + } + + // Sanitise the IDs + $ids = array_filter($ids, 'is_numeric'); + $SQL_idList = implode($ids, ", "); + + // if page can't be viewed, don't grant edit permissions + // to do - implement can_view_multiple(), so this can be enabled + //$ids = array_keys(array_filter(self::can_view_multiple($ids, $memberID))); + + // Get the groups that the given member belongs to + //Debug::message("can_edit_multiple"); + $groupIDs = DataObject::get_by_id('Member', 
$memberID)->Groups()->column("ID"); + $SQL_groupList = implode(", ", $groupIDs); + + // Get the uninherited permissions + $uninheritedPermissions = DataObject::get("SiteTree", "(CanEditType = 'LoggedInUsers' OR + (CanEditType = 'OnlyTheseUsers' AND \"SiteTree_EditorGroups\".SiteTreeID IS NOT NULL)) + AND \"SiteTree\".ID IN ($SQL_idList)", + "", + "LEFT JOIN \"SiteTree_EditorGroups\" + ON \"SiteTree_EditorGroups\".\"SiteTreeID\" = \"SiteTree\".\"ID\" + AND \"SiteTree_EditorGroups\".\"GroupID\" IN ($SQL_groupList)"); + + if($uninheritedPermissions) { + // Set all the relevant items in $result to true + $result = array_fill_keys($uninheritedPermissions->column('ID'), true) + $result; + } + + // Get permissions that are inherited + $potentiallyInherited = DataObject::get("SiteTree", "CanEditType = 'Inherit' + AND \"SiteTree\".ID IN ($SQL_idList)"); + + if($potentiallyInherited) { + // Group $potentiallyInherited by ParentID; we'll look at the permission of all those + // parents and then see which ones the user has permission on + foreach($potentiallyInherited as $item) { + $groupedByParent[$item->ParentID][] = $item->ID; + } + + $actuallyInherited = self::can_edit_multiple(array_keys($groupedByParent), $memberID); + if($actuallyInherited) { + $parentIDs = array_keys(array_filter($actuallyInherited)); + foreach($parentIDs as $parentID) { + // Set all the relevant items in $result to true + $result = array_fill_keys($groupedByParent[$parentID], true) + $result; + } } } } @@ -1001,6 +1003,8 @@ class SiteTree extends DataObject implements PermissionProvider,i18nEntityProvid } else { $deletable = $editableIDs; } + } else { + $deletable = array(); } // Convert the array of deletable IDs into a map of the original IDs with true/false as the
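Review bot: The new `if($ids)` guard runs before `$ids = array_filter($ids, 'is_numeric')`, so a non-empty list whose entries are all rejected by the filter still reaches both `DataObject::get()` calls with an empty `$SQL_idList` and yields `IN ()`. `is_numeric` also accepts floats, exponent forms and whitespace-padded strings, which are interpolated into the WHERE clause unchanged; casting and re-checking right after the filter closes both gaps: `$ids = array_unique(array_map('intval', array_filter($ids, 'is_numeric')));` followed by `if(!$ids) return $result;`. `$SQL_groupList` has the same empty-list exposure when the member belongs to no groups, and `DataObject::get_by_id('Member', $memberID)` is dereferenced without checking that a record came back. Separately, the cached branch returns values from `self::$cache_permissions['edit']` before the `CMS_ACCESS_CMSMain` check and without reference to `$memberID`; how that cache is populated is outside the hunk, so it is worth confirming it can never hold another member's results. The function's signature and final return are also outside the hunk.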
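Review bot: `$deletable` gets its deny-all value only in this added `else`, so the permission result still depends on every branch of the surrounding conditional remembering to assign it. Initialising `$deletable = array();` once before the outer `if` gives the same result and keeps the default fail-closed if another branch is added later. The outer condition and the rest of the function lie outside the hunk, so this is a structural suggestion only.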